Senior Information Security Risk Auditor - Hybrid in MN and/or DC

Optum is a global organization that delivers care, aided by technology to help millions of people live healthier lives. The work you do with our team will directly improve health outcomes by connecting people with the care, pharmacy benefits, data and resources they need to feel their best. Here, you will find a culture guided by diversity and inclusion, talented peers, comprehensive benefits and career development opportunities. Come make an impact on the communities we serve as you help us advance health equity on a global scale. Join us to start Caring. Connecting. Growing together.

The Senior Information Security Risk Auditor (Control Design & Effectiveness) is a senior individual contributor responsible for independently assessing, validating, and improving the design and operating effectiveness of information security controls across the enterprise. This role conducts risk-based audits and advisory reviews focused on control architecture, implementation, and continuous monitoring-ensuring alignment with enterprise risk appetite, leading frameworks (e.g., NIST CSF, ISO/IEC 27001), and readiness for external assurance (e.g., SOX/SOC). The auditor partners with control owners, risk leaders, and technology teams to identify design gaps, quantify residual risk, recommend pragmatic remediations, and track closure against defined SLAs. This role is highly visible and requires strong analytical rigor, domain expertise, and the ability to translate complex technical and governance topics into clear, actionable insights for senior stakeholders.

You will enjoy the flexibility to telecommute* from anywhere within the U.S. as you take on some tough challenges.

Primary Responsibilities:

Control Design & Effectiveness

• Plan and execute risk-based assessments of control design and operating effectiveness across critical security domains (e.g., identity, access, network, cloud, data protection)
• Validate controls are designed to mitigate identified risks and align with regulatory and internal requirements
• Review control documentation, evidence, and automation guardrails for completeness and accuracy
• Recommend improvements to control design for scalability, automation, and resilience
• Ensure controls map to applicable frameworks (NIST CSF, ISO 27001) and regulatory obligations (SOX, SOC 2)

Compliance & Evidence Alignment

• Conduct quarterly control effectiveness reviews and produce dashboards showing adherence rates and aging gaps
• Drive closure of control deficiencies identified during audits or regulatory reviews within defined SLAs
• Validate alignment of controls to risk statements, frameworks, and obligations

Stakeholder Engagement & Communication

• Facilitate control governance councils and working groups to ensure alignment across business units
• Develop executive-ready summaries highlighting control effectiveness, risk implications, and required actions
• Provide training and awareness sessions to reinforce control requirements and accountability

Core Responsibilities

• Serve as the subject matter expert for control design and effectiveness
• Ensure interoperability between control governance processes and enterprise GRC platforms
• Continuously improve control assurance practices through automation, dashboards, and AI-enabled insights
• Act as liaison with regulatory affairs, internal audit, and risk management teams for control-related inquiries

Core Competencies

• Control Design Expertise: Deep understanding of security control architecture and regulatory frameworks (NIST, ISO, NYDFS, SOX)
• Risk & Compliance Acumen: Ability to map controls to risks, evidence, and regulatory obligations
• Analytical Skills: Proficient in assessing control effectiveness, identifying gaps, and driving remediation
• Communication & Influence: Skilled at translating complex control requirements into clear, actionable guidance for senior stakeholders
• Tooling & Automation Awareness: Experience with GRC platforms, control testing workflows, and evidence automation concepts (e.g., policy-as-code/cloud guardrails)

You'll be rewarded and recognized for your performance in an environment that will challenge you and give you clear directions on what it takes to succeed in your role as well as provide development for other roles you may be interested in.

Required Qualifications:

• Bachelor's degree in Information Security, Risk Management, Business OR an equivalent number of 7 years of experience
• 7+ years of progressive experience in information security auditing, risk management, or compliance, with direct experience assessing control design and effectiveness
• 4+ years of experience leading risk-based audits, producing executive-ready reports, and driving timely remediation in complex, regulated environments
• 4+ years of experience working cross-functionally with control owners, risk teams, and technology stakeholders in a matrixed organization
• Advanced level of experience with GRC tools, control testing methodologies, and cloud security baselines; familiarity with SOX/SOC evidence requirement

Preferred Qualifications:

• Professional certifications such as CRISC, CISA, CISSP, or CIA

*All Telecommuters will be required to adhere to UnitedHealth Group's Telecommuter Policy.

Pay is based on several factors including but not limited to local labor markets, education, work experience, certifications, etc. In addition to your salary, we offer benefits such as, a comprehensive benefits package, incentive and recognition programs, equity stock purchase and 401k contribution (all benefits are subject to eligibility requirements). No matter where or when you begin a career with us, you'll find a far-reaching choice of benefits and incentives. The salary for this role will range from $91,700 to $163,700 annually based on full-time employment. We comply with all minimum wage laws as applicable.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records. 

Application Deadline: This will be posted for a minimum of 2 business days or until a sufficient candidate pool has been collected. Job posting may come down early due to volume of applicants.

At UnitedHealth Group, our mission is to help people live healthier lives and make the health system work better for everyone. We believe everyone-of every race, gender, sexuality, age, location, and income-deserves the opportunity to live their healthiest life. Today, however, there are still far too many barriers to good health which are disproportionately experienced by people of color, historically marginalized groups, and those with lower incomes. We are committed to mitigating our impact on the environment and enabling and delivering equitable care that addresses health disparities and improves health outcomes - an enterprise priority reflected in our mission.

UnitedHealth Group is an Equal Employment Opportunity employer under applicable law and qualified applicants will receive consideration for employment without regard to race, national origin, religion, age, color, sex, sexual orientation, gender identity, disability, or protected veteran status, or any other characteristic protected by local, state, or federal laws, rules, or regulations.

UnitedHealth Group is a drug - free workplace. Candidates are required to pass a drug test before beginning employment.

#RPO #GREEN